On Sun, Oct 23, 2016 at 07:24:42PM +0200, Jan Danielsson wrote:
> Hello,
>
> I have a minimal npf installation on a host which works fine, but now I want to move my router to netbsd-7 with npf. After some trial and error I realize I need some assistance.
>
> The basic layout is:
> - re0 is the external connection to the ISP. The IP is assigned using dhcpcd.
> - wm0; 192.168.72.0/24 network
> - wm1; 192.168.92.0/24 network
> - wm2; 192.168.124.0/24 network
>
> What I want to accomplish is to allow incoming ssh on re0, but that's the only allowed incoming connection. All the systems on the wm0, wm1 and wm2 networks should be able to make NAT'ed external connections through re0.
>
> The configuration I have allows the wm{0,1,2} systems to access the router (nslookup, ping, ssh), but they cannot make external connections.
>
> ---------------------------------------
> $ext_if = "re0"
> $ext_v4 = inet4(re0)
>
> $int_if = "wm0"
> $media_if = "wm1"
> $wifi_if = "wm2"
>
> $private_addr = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
>
> map $ext_if dynamic 192.168.72.0/24 -> $ext_v4
> map $ext_if dynamic 192.168.92.0/24 -> $ext_v4
> map $ext_if dynamic 192.168.124.0/24 -> $ext_v4
>
> procedure "log" {
>         log: npflog0
> }
>
>
> group "external" on $ext_if {
>         #ruleset "blacklistd"
>
>         # Allow DHCP requests (even to reserved addresses).
>         pass out final proto udp from any port bootpc to any port bootps
>         pass in final proto udp from any port bootps to any port bootpc
>         pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
>
>         # Allow DNS queries
>         pass stateful out final proto udp to any port domain
>
>         # Block IANA-reserved addresses from entering or exiting
>         block in final from $private_addr apply "log"
>         block out final to $private_addr apply "log"
>
>         pass stateful out final proto tcp all
>         pass stateful out final proto udp all
>         pass stateful out final proto icmp all
>
>         # Prevent IP spoofing attacks on the firewall
>         block in final from 127.0.0.1 apply "log"
>
>         # Services
>         pass in final proto tcp to any port ssh apply "log"
>
>         # Only allow selected ICMP types
>         pass in final proto icmp icmp-type echo all apply "log"
>         pass in final proto icmp icmp-type timxceed all
>         pass in final proto icmp icmp-type unreach all
>         pass in final proto icmp icmp-type echoreply all
>         pass in final proto icmp icmp-type sourcequench all
>         pass in final proto icmp icmp-type paramprob all
>         pass in final proto ipv6-icmp all
> }
>
> group "internal" on $int_if {
>         # Pass everything to internal networks.
>         pass final all apply "log"
> }
>
> group "media" on $media_if {
>         # Pass everything to media networks.
>         pass final all apply "log"
> }
>
> group "wifi" on $wifi_if {
>         # Pass everything to wifi networks.
>         pass final all apply "log"
> }
>
> group default {
>         # Loopback interface should allow packets to traverse it.
>         pass final on lo0 all
>
>         # Block everything by default.
>         block final all apply "log"
> }
> ---------------------------------------
>
> In addition to not being able to make outbound connections from the systems on the wm* interfaces, the router cannot be pinged from the Internet (using a laptop+mobile). (No logs are generated on npflog0 when I try to ping the router.)
>
> ... help?
Did you start NPF before or after you obtained your upstream IP address? I've found I have to bounce NPF every time my uplink changes. I used dhcpcd-run-hooks(8) to make this automatic.
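As an added example, not part of this thread, here is one way to make the reply's dhcpcd-run-hooks(8) approach concrete: a dhcpcd exit hook that reloads NPF whenever the uplink's IPv4 lease changes, so a ruleset that references inet4(re0) is re-evaluated against the current address. The interface name re0 comes from the original post; the file location /etc/dhcpcd.exit-hook, the variables NPF_UPLINK and NPF_RELOAD_CMD, the function npf_should_reload and the default of `/etc/rc.d/npf reload` are this example's own assumptions. The hook variables $interface, $reason, $old_ip_address and $new_ip_address, and the reason names, are the ones dhcpcd exports to its hooks.

```shell
#!/bin/sh
# Assumed location: /etc/dhcpcd.exit-hook, sourced by dhcpcd-run-hooks(8)
# after dhcpcd's lease state changes. dhcpcd exports $interface, $reason,
# $old_ip_address and $new_ip_address to the hook environment.
#
# Why: NPF resolves inet4(re0) when the ruleset is loaded. A ruleset loaded
# before dhcpcd obtained the uplink address, or kept across an address
# change, keeps translating to a stale (or empty) address.

NPF_UPLINK="${NPF_UPLINK:-re0}"                           # external interface (from the post)
NPF_RELOAD_CMD="${NPF_RELOAD_CMD:-/etc/rc.d/npf reload}"  # assumed; "npfctl reload" also works

# npf_should_reload IFACE REASON OLD_ADDR NEW_ADDR
# Prints "yes" and returns 0 when the NPF ruleset must be reloaded,
# prints "no" and returns 1 otherwise.
npf_should_reload() {
    h_iface=$1
    h_reason=$2
    h_old=$3
    h_new=$4

    # Lease events on the LAN interfaces do not affect inet4(re0).
    if [ "$h_iface" != "$NPF_UPLINK" ]; then
        echo no; return 1
    fi

    case "$h_reason" in
    BOUND|REBOOT|RENEW|REBIND|STATIC|INFORM)
        # Address (re)acquired: reload only when it actually changed, so a
        # routine RENEW of the same address does not flush NPF state.
        if [ -n "$h_new" ] && [ "$h_new" != "$h_old" ]; then
            echo yes; return 0
        fi
        ;;
    EXPIRE|RELEASE|STOP|NAK)
        # Lease gone: the loaded rules still refer to the old address.
        echo yes; return 0
        ;;
    esac
    echo no; return 1
}

# Act only when invoked by dhcpcd (which sets $reason); sourcing this file
# anywhere else merely defines the function above.
if [ -n "${reason:-}" ]; then
    if npf_should_reload "${interface:-}" "$reason" \
            "${old_ip_address:-}" "${new_ip_address:-}" >/dev/null; then
        logger -t dhcpcd-npf "uplink $interface $reason: reloading NPF"
        $NPF_RELOAD_CMD
    fi
fi
```

If a reload turns out not to be enough on a given release, setting NPF_RELOAD_CMD to `/etc/rc.d/npf restart` reproduces the "bounce" the reply describes; the decision logic stays the same.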